One new and exciting area is the use of artificial intelligence (AI) in fighting cyber-attacks and threats. Promises and references found in marketing messages from industry players in abundance. It is challenging to assess the correct abilities and feasibility of these, so my blog focuses on a few high-tech suppliers (Bluehexagon and ExtraHop) and their implementation of the data network in practice. This AI-based cybersecurity analysis and control solutions are still expensive even for large companies, but in the Data Center, it is highly recommended to mitigate the security risks.

Why does artificial intelligence overcome traditional methods?

Both manufacturers market ultrafast threat detection, almost real-life tracking, and a complete network snapshot by explicitly analyzing network traffic. The critical arguments for the necessity of the service and the implementation model can found in three claims:
  1. The traditional "fingerprint after" based on virus and vulnerability detection in workstations, firewalls, attack protection systems, or proxy/sandbox systems is too slow. Research shows that new threats occur on the Internet every 4 seconds. Therefore, the definition and distribution of the fingerprints of security companies to control systems are always about 24 hours late.
  2. More than half of the network traffic is currently encrypted. It is difficult to detect and combat malicious activity or malware online using traditional methods. As an example, Network Behavior (NBAD) which causes more false alarms than the perception of any relevant.
  3. Network services systems are vast and complex. Operating models and organizations are in silos because of this. The common situational picture has improved, e.g., by SIEM systems. SIEM use in practice, however, requires the use of artificial intelligence in terms of volumes and relations being far too large for humans. Analyzing events with artificial intelligence, the SIEM concept, however, takes place with a lag, which can be fatal.

How is AI-based technology integrated into the network?

Bluehexagon and ExtraHop® high tech enthusiasts eventually ask two questions that are hard to find in manufacturers' marketing materials.
  1. How can the system catch up to the company's communications and reliably gain data for analysis on a switched and segmented network?
  2. How to implement data collection without changing the network architecture completely?  99.99% uptime?
The first and worst option is to mirror/copy from multiple Ethernet ports to a defined SPAN port where the AI sensor (appliance) is connected. The solution has numerous pitfalls from the analysis point of view.  A) SPAN port implementation is not passive. B) It changes the timestamp of traffic. C) It will drop half of the packets in the rush hour. D) It will remove corrupt frames, and some of the headings Prevent errors from appearing. The SPAN port can also be used to send traffic, i.e. it is itself a potential attack target. A better option is Network TAP. It is a passive network device through which traffic flows recycled. TAP copy traffic without packet loss and without changing anything. TAP, using an artificial intelligence-based analysis system or analysis network is isolated from the production network.  Look here to find the most suitable. Increasing the volume of data analyzed will also increase the costly AI analysis capacity. A Network Packet Broker (NPB) will be included in this section to help you. It allows you to filter and redirect the copied traffic to different centralized analysis systems with precise discretion.    

Benefits in operational activities.

Professional network administrators do not connect untested equipment to the production system or cause additional maintenance downtime on the production network. There is such a high threshold for starting testing, which is good to solve already in network architecture design.
  • TAP makes it easy to connect a variety of analysis and security systems reliably without touching the critical production network.
  • New Cyber Security AI technologies can be tested, and knowledge accumulated. At the same time, the production network can be considered as efficient and straightforward as possible.
  • TAP & NPB allows analysis capacity to optimize and save on investments, especially in Data Center environments.
  • Fewer maintenance breaks, less night shift, less catastrophic morning shifts due to a night configuration error, fewer customer claims, and penalty conversations.

Whether or not the new artificial intelligence-based security systems will redeem their place shortly remains to be seen, but there is a promising effect and there is an order. However, keep in mind that experiment results are reliable when based on a complete copy of production data and traffic.

  Hannu Rokka (Senior Advisor) 5Feet Networks Oy